In January, Apple released iOS 16.3 and macOS 13.2, along with other software updates. However, the release notes only mentioned new iOS 16.3 features such as the Unity wallpaper, Security Keys for Apple ID, support for HomePod 2, and several bug fixes.
Now the cybersecurity research firm Trellix has detailed two major security vulnerabilities that Apple patched in the iOS 16.3 and macOS 13.2 updates, which could have given attackers access to users’ sensitive information such as messages, call history, photos, location, the camera and more.
iOS 16.3 and macOS 13.2 patched exploits that could gain access to users’ messages, photos, and more
Citizen Lab’s 2021 discovery of FORCEDENTRY, a zero-click iOS remote code execution exploit, led Trellix to examine the sandbox escape used in that exploit, which it describes as a way to “dynamically execute arbitrary code in another process which completely sidestepped code signing.”
Researchers found that NSPredicate, a class used by developers to filter lists of arbitrary objects, contained “an entirely new bug class that completely breaks inter-process security in macOS and iOS.”
Although Apple removed the features used in the FORCEDENTRY sandbox escape and introduced new mitigations to restrict the exploitation of NSPredicate, Trellix found that those mitigations could be bypassed using methods that were not restricted, opening up a range of potential vulnerabilities that could give access to the device’s camera and microphone, location data, and more, and could even be used to erase the device.
The first vulnerability we found within this new class of bugs is in coreduetd, a process that collects data about behavior on the device. An attacker with code execution in a process with the proper entitlements, such as Messages or Safari, can send a malicious NSPredicate and execute code with the privileges of this process.
This process runs as root on macOS and gives the attacker access to the user’s calendar, address book, and photos. A very similar issue with the same impact also affects contextstored, a process related to CoreDuet. This result is similar to that of FORCEDENTRY, where the attacker can use a vulnerable XPC service to execute code from a process with more access to the device.
The appstored (and appstoreagent on macOS) daemons also possess vulnerable XPC Services. An attacker with control over a process that can communicate with these daemons could exploit these vulnerabilities to gain the ability to install arbitrary applications, potentially even including system apps.
The report thanks Apple for working with Trellix on a timely fix for these issues in iOS 16.3 and macOS 13.2, given their severity.
The vulnerabilities above represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else. Services that accept NSPredicate arguments and check them with insufficient NSPredicateVisitors allow malicious applications and exploit code to defeat process isolation and directly access far more resources than should be allowed.
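As an added illustration of the point above (this is example code, not Trellix’s or Apple’s), the following Swift shows the shape of an allowlist check a service could run on a predicate it receives from a client before evaluating it: only compound and comparison predicates over a fixed set of key paths and plain constants are accepted, and every other node type, including function expressions, is refused. The service and its key path names are hypothetical.

```swift
import Foundation

// Added example (not Trellix's or Apple's code): an allowlist walk over a
// predicate a service has just received from a client. Anything not
// explicitly accepted is refused, the opposite of a check that only blocks
// known-bad node types. The key path names are hypothetical.

struct PredicateRefused: Error { let reason: String }
/// Key paths this (hypothetical) service lets clients filter on.
let allowedKeyPaths: Set<String> = ["title", "createdAt", "isRead"]
func checkExpression(_ e: NSExpression) throws {
    switch e.expressionType {
    case .constantValue:
        // Only plain value types; constants of any other class are refused.
        let v = e.constantValue
        guard v == nil || v is NSString || v is NSNumber || v is NSDate else {
            throw PredicateRefused(reason: "constant of unexpected class")
        }
    case .keyPath:
        guard allowedKeyPaths.contains(e.keyPath) else {
            throw PredicateRefused(reason: "key path \(e.keyPath) not allowed")
        }
    default:
        // .function, .variable, .block, .subquery, ... refused: a function node is a method call.
        throw PredicateRefused(reason: "expression type \(e.expressionType.rawValue)")
    }
}

func checkPredicate(_ p: NSPredicate, depth: Int = 0) throws {
    guard depth < 16 else { throw PredicateRefused(reason: "nested too deeply") }
    if let compound = p as? NSCompoundPredicate {
        for sub in compound.subpredicates {
            guard let sp = sub as? NSPredicate else { throw PredicateRefused(reason: "bad subpredicate") }
            try checkPredicate(sp, depth: depth + 1)
        }
    } else if let cmp = p as? NSComparisonPredicate {
        try checkExpression(cmp.leftExpression)
        try checkExpression(cmp.rightExpression)
    } else {
        throw PredicateRefused(reason: "not a comparison or compound predicate")
    }
}

// Constructed samples: the first is accepted, the second refused.
let benign = NSPredicate(format: "title == %@ AND isRead == NO", "hello")
let suspicious = NSPredicate(format: "FUNCTION(title, 'lowercaseString') == 'x'")
for p in [benign, suspicious] {
    do { try checkPredicate(p); print("accepted:", p) }
    catch { print("refused:", p, "->", error) }
}
```

The check runs on the receiving side, after the predicate has been decoded and before it is evaluated against any object.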